Yes, it's a pain having to type a password every time you visit a secured site with Microsoft's Internet Explorer. It's much easier for a user to check the "Remember my password" box at login. But this also makes it easier for someone else to gain unauthorized access to these online user accounts using tools like IE PassView. Someone using IE PassView can retrieve any of the following saved password types:

AutoComplete Passwords: When you enter a Web page that contains a form with user/password fields and a login button, Internet Explorer may ask you if you want to save the password, after pressing the login button. If you choose to save the password, the password is saved as AutoComplete password. Be aware that some Web sites (like Yahoo login page) deliberately disable the AutoComplete feature, in order to avoid password stealing by other users.

HTTP Authentication Passwords: Some Web sites allow the user to enter only after typing user and password in a separated dialog-box. If you choose to save the password in this login dialog-box, the password is saved as HTTP authentication password.

FTP Passwords: Simply the passwords of FTP addresses (ftp://...)

Source: NirSoft.net

IE PassView works with IE 6 and IE 7, although IE 7 provides two safeguards. According to NirSoft,

Starting from version 7.0 of Internet Explorer, Microsoft completely changed the way that passwords are saved. In previous versions (4.0 - 6.0), all passwords were saved in a special location in the Registry known as the "Protected Storage". In version 7.0 of Internet Explorer, passwords are saved in different locations, depending on the type of password. Each type of password has some limitations in password recovery:

AutoComplete Passwords: These passwords are saved in the following location in the Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2. The passwords are encrypted with the URL of the Web sites that asked for the passwords, and thus they can only be recovered if the URLs are stored in the history file. If you clear the history file, IE PassView won't be able to recover the passwords until you visit again the Web sites that asked for the passwords. Alternatively, you can add a list of URLs of Web sites that require user name/password into the Web sites file (see below).

HTTP Authentication Passwords: These passwords are stored in the Credentials file under Documents and Settings\Application Data\Microsoft\Credentials, together with login passwords of LAN computers and other passwords. Due to security limitations, IE PassView can recover these passwords only if you have administrator rights.

Access to a victim's machine is necessary in order to either run the password retrieval process locally or to retrieve the password information and access it at the attacker's location. Security managers working in organizations where IE is the standard browser should be aware of issues related to saved passwords and the ease with which they can be retrieved with free utilities like IE PassView. ClearAllHistory.com has some tips for protecting online passwords when using IE.

To delete stored passwords in Internet Explorer (IE 6):

Select "Tools".

Select "Internet Options".

Open the "Content" tab.

Click the "AutoComplete" button.

Click "Clear Passwords".

In IE 7, select the "General" tab instead and click "Delete" under Browsing History.

To prevent users from saving passwords in the future, perform the following steps in IE 6:

Select "Tools".

Select "Internet Options".

Open the "Content" tab.

Click the "AutoComplete" button.

Remove check marks from the "User names and passwords on forms" boxes.

Click OK.

Accomplishing this in IE 7 is very similar. Once in the "Content" tab, click on "Settings" in the "AutoComplete" section. Uncheck all boxes.
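Security managers who need to confirm that these steps actually took effect on a machine can check the registry rather than clicking through each browser. The following read-only PowerShell audit is an added example, not part of the original article or of any NirSoft tool. It assumes the `FormSuggest Passwords` and `FormSuggest PW Ask` values under the `Internet Explorer\Main` preference and policy keys (not mentioned in the article) reflect the AutoComplete checkboxes, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the current user's IE saved-password exposure.
# It counts stored entries and reads settings; it never reads or decrypts entry data.
$StorageKey = 'HKCU:\Software\Microsoft\Internet Explorer\IntelliForms\Storage2'  # from the article
$MainKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'                   # user preference (assumption)
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'          # Group Policy (assumption)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return the value's data, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-IESavedPasswordAudit {
    # Values under Storage2 are the saved AutoComplete password entries (IE 7).
    $saved = 0
    if (Test-Path $StorageKey) {
        $saved = (Get-Item $StorageKey).GetValueNames().Length
    }

    # A policy value, when present, overrides the per-user preference.
    $policy = Get-RegValue $PolicyKey 'FormSuggest Passwords'
    $pref   = Get-RegValue $MainKey   'FormSuggest Passwords'
    $ask    = Get-RegValue $MainKey   'FormSuggest PW Ask'
    $effective = if ($null -ne $policy) { $policy } else { $pref }

    # Only an explicit "no" counts as disabled; an unset value is reported as a finding.
    $savingDisabled = ($effective -eq 'no')

    $findings = @()
    if ($saved -gt 0)         { $findings += "$saved saved AutoComplete entries remain; clear them." }
    if (-not $savingDisabled) { $findings += 'Password saving is not explicitly disabled.' }
    if ($null -eq $policy)    { $findings += 'No policy value set; the user can re-enable saving.' }

    New-Object PSObject -Property @{
        User            = $env:USERNAME
        SavedEntryCount = $saved
        PolicyValue     = $policy
        PreferenceValue = $pref
        PromptToSave    = $ask
        SavingDisabled  = $savingDisabled
        Findings        = $findings
    }
}

Get-IESavedPasswordAudit | Format-List
```

Run it in the context of the user being audited, since every key it reads is under HKEY_CURRENT_USER.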

Some name

Independent security researcher and IT professional with over 36 years of experience in programming, network engineering and security. Author of four books (Just Enough Security, Microsoft Virtualization, Enterprise Security: A Practitioner's Guide, and Incident Management and Response Guide) and various papers on security management.